1. INTRODUCTION
In an increasingly interconnected and data-driven world, the protection of personal information has become a matter of paramount importance. Individuals and organizations alike process and share vast amounts of personal data regularly, making the safeguarding of this information a critical concern. Recognizing the need to address this pressing issue comprehensively, Nigeria has taken a significant step forward with the enactment of the Nigerian Data Protection Act 2023 (NDPA).1 Prior to the promulgation of the NDPA, the country placed reliance on the Nigerian Data Protection Regulation (NDPR) 2019, its Implementation Framework (NDPR-IF) 2020 and various sector-specific laws applicable in some industries and practice areas.2 This new legislation marks a pivotal moment in the country's commitment to upholding data privacy rights and enhancing data security in an age where data has become a valuable and vulnerable asset. This article reviews some key provisions of the new Nigerian Data Protection Act 2023.
2. NOTABLE PROVISIONS OF THE NIGERIA DATA PROTECTION ACT 2023
2.1 Establishment of a Supervisory Authority
The absence of a primary regulatory body responsible for the regulation of data privacy and protection practices in Nigeria had raised concerns amongst stakeholders because the former singular supervisory authority, National Information Technology Development Agency (NITDA), played a general role in the monitoring and management of information technology related matters, alongside its responsibilities as regards data privacy and protection regulation in Nigeria. Even the subsequent creation of the Nigeria Data Protection Bureau (NDPB) was founded on the quasi-administrative powers of the President of Nigeria, which raised a lot of questions on the validity of the powers of the body, which lacked an enabling law at its foundation and implicated the possible usurpation of legislative authority in a field in which the national assembly had already exercised its law-making powers.3 However, the passage of the new Act lays to rest these issues by the formal establishment of the Nigeria Data Protection Commission (NDPC),4 and conferment on the NDPC with distinct and separate powers5 and functions6 for the administration of data protection in Nigeria.
2.2 Recognition of Data Controllers and Data Processors of Major Importance
While still retaining the interpretation of a data controller or processor under the Nigeria Data Protection Regulation (NDPR),7 the new Act provides an added definition and category of “data controller and data processor of major importance.” This means:
“a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.”8
A plain reading of this definition is that data controllers or data processors qualify as being of ‘major importance' where the NDPC determines that they ‘process personal data of more than such number of data subjects in Nigeria' as it prescribes, or that the personal data processed is ‘of particular value or significance to the economy, society or security of Nigeria.' The provision therefore hinges on the volume of personal data processed to determine who constitutes a data controller or data processor of major importance. However, it does not state the exact volume of personal data that must be processed before a controller or processor is categorized as a ‘data controller or data processor of major importance,' leaving that determination to the discretion of the NDPC. This uncertainty is yet to be resolved, although the NDPC has recently called on controllers and processors to register with the Commission, ostensibly in reliance on the provisions cited above relating to controllers and processors of major importance.9
The new Act also imposes certain responsibilities on data controllers or processors of major importance, which are themselves novel additions in the new Act. They include:
- Compulsory registration of data controllers and data processors of major importance with the NDPC within six months after the commencement of the new Act or after becoming a data controller or processor of major importance.10 However, the Act prescribes that the NDPC may exempt a class of data controllers or processors of major importance from the registration requirement where it considers such requirement to be unnecessary or disproportionate.11 Additionally, the Act empowers the NDPC to prescribe fees or levies to be paid by data controllers and processors of major importance upon completion of the registration.12
- Appointment of a Data Protection Officer possessing expert knowledge of data protection law and practices, and the ability to carry out the tasks prescribed under the new Act and any other subsidiary legislation made under the new Act in relation to such appointment.13
2.3 Lawful Basis of Processing Personal Data
The new Act retains all the lawful bases for processing personal data in the NDPR,14 and introduces a new legal ground on which the personal data of a data subject can be processed, namely legitimate interest. This new ground can be relied upon where the processing is necessary for the purposes of the legitimate interests pursued by the data controller or processor, or by a third party to whom the data is disclosed.15
In this case, a data controller or processor must determine whether a given interest in processing personal data is "legitimate" by evaluating the purpose and necessity of the processing, and by assessing whether the data subject's interests outweigh the controller's legitimate interest. Examples of scenarios where this purpose may arise include the processing of personal data for direct marketing, the intra-group transmission of personal data between companies for internal administrative purposes, and ensuring the security of networks and information systems.16
This new addition contains provisions similar to Article 6(1)(f) of the European Union General Data Protection Regulation (GDPR) 2018.17 However, the GDPR goes further to state that this ground will not apply to the processing of personal data carried out by public authorities in the performance of their tasks.
Despite the recognition of the legitimate interests of a ‘data controller or data processor, or a third party to whom the data is disclosed' as one of the legal bases for personal data processing, these interests may not be considered legitimate in the following instances where:
- they override the fundamental rights, freedoms, and the interests of the data subject,18
- they are incompatible with other lawful bases of processing,19 or
- the data subject would not have a reasonable expectation that the personal data would be processed in the manner envisaged.20
2.4 Extensive Safeguards for Processing Children's Personal Data
The new Act provides extensive safeguards for processing the personal data of children and persons lacking the legal capacity to give consent. Where a data subject is a child or a person lacking the legal capacity to consent, a data controller is required to obtain the consent of the parent or legal guardian under the new Act.21 A data controller is further required to adopt adequate measures, e.g., presentation of government-approved identification documents, to confirm the age of the child and the consent obtained, taking into consideration the technology available to assist with such verification.22
Nevertheless, obtaining the consent of the parent or legal guardian under this provision shall not apply in the following circumstances where the processing is:
- “necessary to protect the vital interests of the child or person lacking the legal capacity to consent,
- carried out for purposes of education, medical, or social care, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality,
- necessary for proceedings before a court relating to the individual”.23
The Act empowers the NDPC to issue guidelines or regulations that will cover issues that may arise in the processing of personal data of a child of 13 years and above in relation to the provision of information and services by electronic means at the specific request of the child.24 Furthermore, it is important for data controllers or processors to note that where consent or authorisation is obtained to process the personal data of children, any processing method adopted in this regard under the new Act shall not be inconsistent with Nigeria's Child Rights Act 2003.25
2.5 Comprehensive Cross-Border Data Transfer Provisions26
The new Act provides an exhaustive basis for the cross-border transfer of personal data between Nigeria and other countries. The relevant provisions on cross-border data transfers seek to clarify the reasons for, and the considerations that must be made during, the transfer of personal data between countries. They include “(i) adequacy of protection with the recipient country: where the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with the new Act, and (ii) any one of the conditions set out in section 4327 of the Act applies.”28
While the NDPR requires the supervision of the Honourable Attorney General of the Federation of Nigeria amongst other requirements in carrying out a cross-border transfer of personal data, the new Act omits this requirement, and retains only the adequacy of protection and any condition listed in section 43 of the new Act. The whitelist of countries provided by the NDPR Implementation Framework remains a valid reference for the list of countries possessing adequate privacy and data protection laws as the new Act did not repeal the NDPR and its Implementation Framework.29
2.6 Administrative Sanctions
Under the NDPR, violators of data protection laws and regulations in Nigeria are usually issued enforcement and compliance orders by the data protection supervisory authority (i.e., NITDA or NDPB), which are intended to serve as penalty measures and as a deterrent to defaulting data controllers or processors. These penalty measures include, but are not limited to, payment of monetary damages, closure of business operations and ordering the data controller or processor to account for the profits realized from the violation. The new Act, while retaining the majority of these measures,30 now incorporates expansive penalty measures for any data controller or data processor that violates the provisions of the new Act or any subsidiary legislation made under it. One of the additions is a higher maximum penalty in the case of a data controller or processor of major importance and a standard maximum amount in the case of a data controller or processor not of major importance.31 The higher maximum amount is stipulated to be the greater of N10,000,000 and 2% of the annual gross revenue of the data controller or data processor of major importance in the preceding financial year, while the standard maximum amount is the greater of N2,000,000 and 2% of the annual gross revenue of the data controller or data processor not of major importance in the preceding financial year.32
Where a data controller or processor is dissatisfied with an order of the NDPC, such controller or processor can apply to the court for a judicial review within 30 days after the order was made.33
3. DEFICIENCIES IN THE ACT
The Act is indeed a significant improvement on the Nigeria Data Protection Regulation (NDPR). However, there are still some identified lapses requiring attention to guarantee the effective implementation of the Act. Some of these are highlighted below:
- The independence of the supervisory authority as stipulated in the Act raises some concerns that could affect the smooth performance of its functions. The constitution of the governing council suggests a supervening power of the executive arm of government, which may restrict the independence of the commission.
- The Act appears to exclude Nigerians living in foreign countries in its application, as opposed to the express provision of the NDPR which extends the application of the regulation to Nigerian citizens residing outside the country.34 It is unclear if this was a deliberate exclusion or an unintentional omission by the drafters of the Act.
- The introduction of legitimate interest by the Act35 as one of the lawful bases for processing personal data is a commendable inclusion. However, the Act fails to define or provide clarification on the interpretation of legitimate interest. This might pose a challenge in interpreting this new ground for processing personal data and its applicability by data controllers or processors.
- The Act neither stipulates timelines nor provides guidance for certain compliance actions, such as the filing of data audit reports and data retention, among other provisions.
- Under the NDPR, all data controllers/processors are required to appoint Data Protection Officers (DPOs)36 to ensure adherence to the Regulation. However, the Act limits the appointment of DPOs to data controllers and processors of major importance.37
- The new Act does not specify the volume of personal data that must be processed by data controllers or processors for them to be categorized as ‘data controllers or data processors of major importance.' Given the important obligations placed on these categories of controllers/processors, the Commission needs to be swift in releasing a guideline on this issue, to enable controllers/processors that fall within this category to be guided and to comply accordingly.
4. THE IMPLICATION OF THE ACT ON EXISTING DATA PROTECTION REGULATIONS/GUIDELINES
The new Act did not repeal existing instruments issued by NITDA or the NDPB. Rather, it incorporated transitional provisions that would not invalidate the past and existing work of the former supervisory bodies. It provides that all orders, rules, regulations, decisions, directions, licences, authorisations, certificates, consents, approvals, declarations, permits, registrations, rates or other documents that were in effect before the coming into effect of the Act and that were made or issued by NITDA or NDPB will continue to be in effect as if they were made or issued by the new Commission until they expire or are repealed, replaced, reassembled or altered.38
The Act further asserts its superiority over privacy and data protection matters by stipulating that where there is any inconsistency in the provisions of any other laws or regulations with any provisions of the Act regarding the processing of personal data, the provisions of the Act will prevail.39 This section places priority on the Act over any law or regulation including the NDPR and its Implementation Framework regarding the processing of personal data in Nigeria.
5. CONCLUSION
The Nigeria Data Protection Act 2023 is a pivotal piece of legislation that recognizes the importance of data protection in the digital age. It provides a comprehensive framework to protect personal data, preserve privacy rights, and promote responsible data handling practices. It is a critical tool for safeguarding the fundamental privacy rights of individuals by establishing a legal framework that promotes responsible data handling, safeguards data subjects' rights, and enhances the nation's standing in the global data protection landscape. Its importance cannot be overstated, as it finally establishes a federal law for data protection matters in Nigeria, which is why its identified shortcomings need to be addressed timeously for its effective implementation.
Footnotes
1. Gazette No.119, Vol. 110 (1st July 2023).
2. Such as, National Health Act 2014, Cybercrimes (Prohibition, Prevention, etc.) Act 2015, Nigeria Communications Commission Consumer Code of Practice Regulation 2007, Child Rights Act 2003, Freedom of Information Act 2011 etc.
3. FMCDE, “President Buhari approves the Nigeria Data Protection Bureau (NDPB) and appoints Dr Olatunji as the Pioneer National Commissioner” available at: http://fmcde.gov.ng/index.php/president-buhari-approves-the-nigeria-data-protection-bureau-ndpb-and-appoints-dr-olatunji-as-the-pioneer-national-commissioner/#:~:text=President%20Muhammadu%20Buhari%2C%20GCFR%2C%20has,Isa%20Ali%20Ibrahim%20(Pantami) accessed 6th November 2023.
4. Section 4 of the Nigeria Data Protection Act 2023.
5. Section 6 of the Nigeria Data Protection Act 2023.
6. Section 5 of the Nigeria Data Protection Act 2023.
7. Nigeria Data Protection Regulation (NDPR) 2019.
8. Section 65 of the Nigeria Data Protection Act 2023.
9. DailyPost, “NDPC tasks data controllers and processors on protection compliance” available at: https://dailypost.ng/2023/07/24/ndpc-tasks-data-controllers-and-processors-on-protection-compliance/ accessed 6th November 2023.
10. Section 44 and Section 5 of the Nigeria Data Protection Act 2023.
11. Section 44 (6) of the Nigeria Data Protection Act 2023.
12. Section 45 of the Nigeria Data Protection Act 2023.
13. Section 32 (1) of the Nigeria Data Protection Act 2023.
14. Regulation 2.2 (a) – (e) of the Nigeria Data Protection Regulation 2019.
15. Section 25(1)(b)(v) of the Nigeria Data Protection Act 2023.
16. See Oliver Willis (2023), ‘Recognised Legitimate Interests: A New Lawful Basis', available at https://www.bdbpitmans.com/insights/recognised-legitimate-interests-a-new-lawful-basis/ accessed 27th October 2023.
17. General Data Protection Regulation (EU 2016/679) (EU GDPR).
18. Section 25(2) (a) & 36 (2) of the Nigeria Data Protection Act 2023.
19. (i) consent of the Data Subject, (ii) for performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract, (iii) for compliance with a legal obligation to which the data controller or data processor is subject, (iv) to protect the vital interest of the data subject or another person, (v) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor. See Section 25(1)(a) & (b)(i) -(iv) of the Nigeria Data Protection Act 2023.
20. Section 25(2) (a-c) of the Nigeria Data Protection Act 2023.
21. Section 31 (1) of the Nigeria Data Protection Act 2023.
22. Section 31 (2) & (3) of the Nigeria Data Protection Act 2023.
23. Section 31 (4) (a-c) of the Nigeria Data Protection Act 2023.
24. Section 31 (5) of the Nigeria Data Protection Act 2023.
25. Section 31 (6) of the Nigeria Data Protection Act 2023. The Nigeria Child Rights Act, Cap L1, LFN 2004, serves as the parent law that safeguards the fundamental rights of a child in Nigeria.
26. Section 41 of the Nigeria Data Protection Act 2023.
27. (a) data subject has provided and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of adequate protections, (b) transfer is necessary for the performance of a contract to which a data subject is a party or in order to take steps at the request of a data subject, prior to entering into a contract, (c) transfer is for the sole benefit of a data subject and (i) it is not reasonably practicable to obtain the consent of the data subject to that transfer and (ii) if it were reasonably practicable to obtain such consent, the data subject would likely give it, (d) transfer is necessary for important reasons of public interest, (e) transfer is necessary for the establishment, exercise, or defense of legal claims, or (f) transfer is necessary to protect the vital interests of a data subject or of other persons, where a data subject is physically or legally incapable of giving consent. See Section 43 (1) (a-f) of the Nigeria Data Protection Act 2023.
28. Section 41 (1) (a) & (b) of the Nigeria Data Protection Act 2023.
29. See Section 64(2)(f) of the Act.
30. Section 47 of the Nigeria Data Protection Act 2023.
31. Section 48 (3) (a) & (b) of the Nigeria Data Protection Act 2023.
32. Ibid. See subsection 4 & 5 (a) & (b).
33. Section 50 of the Nigeria Data Protection Act 2023.
34. Article 1.2 (b) NDPR.
35. Section 25 (1)(b)(v) of the NDPA.
36. Article 4.1 (2) NDPR.
37. Section 32 of the NDPA.
38. Section 64 (2)(f) of the Act.
39. Section 63 of the Act.